Companies using Symantec's Veritas Backup Exec are facing a dilemma after Symantec warned of security flaws in the software, but pulled some of the patches due to quality issues.
Symantec warned that flaws in the Backup Exec Remote Agent could allow attackers to cause memory access violations or use up all system resources, causing the system to crash and lose backup capability.
While only moderately serious in itself, the bug could be a big problem due to the way Backup Exec is typically used, according to the SANS Institute's Internet Storm Center (ISC). "Considering that this is typically used for backups of critical data, the severity could be pretty high," wrote handler Bojan Zdrnja on the ISC website. "It's easy to imagine a scenario when you need business critical data that was supposed to be backed up yesterday, but it wasn't due to the Backup Exec crashing."
Affected versions include Backup Exec 10.x and 9.x and Backup Exec Remote Agent 10.x and 9.x for Windows Servers (RAWS).
Ordinarily, companies could solve the problem just by applying Symantec's patch. In this case, though, there are two complications: some users have run into trouble with some of the patches, according to the ISC, and some of the patches are no longer available, having been withdrawn by Symantec.
The company withdrew two RAWS patches, affecting different versions of Remote Agent for Windows Servers, and said in an advisory that they would be re-released "shortly". Patches for Remote Agent for Linux and Unix Servers (RALUS) are all available.
Symantec also warned of a low-risk bug in the Job Engine service, which can only be exploited under particular conditions.